We can rely on the SPNEGO authentication as the barrier to use PQS, but then defer to the impersonation check that HBase is already doing as to which PQS instances are allowed to talk to HBase (defined by core-site.xml).